The world of cybersecurity has seen some fundamental shifts in the past few years that have left the vast majority of companies unprepared for today’s threats. The proliferation of malware, for example, has dramatically reduced the intrinsic value of traditional security solutions such as firewalls, IDS/IPS, and anti-virus software. These solutions, which used to adequately prevent attacks, are now very limited in their risk mitigation value. Most organizations have not updated their cybersecurity technology and solutions to stop today’s threats. It’s like monitoring your front door for a break-in while someone comes in the back window.
Even companies that have taken cybersecurity seriously have not always been led the right way by cybersecurity companies. Five, 10, and even 15 years ago, organizations that wanted to take the threats seriously were told they needed 24x7x365 monitoring – paying for really smart cybersecurity professionals to watch alerts and events as they happen in real time so they could respond at a moment’s notice to malicious activity. But the legacy technologies used to monitor devices rely mostly on human review, not machine intelligence. A common metric for traditional MSSPs is a single security engineer for every 30 devices under management.
In the U.S. the average cybersecurity professional makes $116,000/year. That means the cost to monitor a single device is $322/month, forcing traditional MSSPs to charge between $500 and $1500/device/month. Of course, at those rates, most companies can only pay for 1 or 2 devices to be monitored – the firewall and IDS/IPS. When asked why you don’t need to monitor more devices, they would talk about your home security system, which only has motion detectors near the front door and at “choke points” within the home, eliminating the need to monitor every room, door, and window. “As long as you are monitoring the choke points, you are safe”, they would say. So while it is expensive to monitor just a couple of devices, as long as those devices sit at the choke points of the network, you are safe. While this was adequate 5+ years ago, it is not enough today.
Imagine being sold the idea that choke points are enough and then having your daughter kidnapped through a bedroom window. No choke-point security system would detect that, allowing the worst-case scenario to happen without your security system even tripping. Home security systems relied upon a few choke points in the home because it was very expensive to run wires to every area of the home (especially after it was already built). Today, if you look for a home security system, wireless technology has made it possible to place multiple sensors throughout the house without running wires. This makes the cost of securing the entire home against multiple threats much lower than with traditional wired systems. Now, if you talk to home security specialists, they will tell you all the advantages of a system that can monitor every window, every door, and every room for multiple threats like motion, water, carbon monoxide, and fire – all because the technology finally allows them to do this cost-effectively.
The same thing has happened with cybersecurity. Cost-prohibitive cybersecurity professionals at a 30-to-1 device-to-analyst ratio were always going to force organizations to rely on choke points. Thankfully, technology has evolved as well. Automated correlation and analytics from a properly deployed, configured and tuned Security Information and Event Management (SIEM) technology can increase the ratio of devices per cybersecurity professional exponentially. With the old technology, there was very little normalization, correlation, threat feed integration or any of the other methods now used to accurately detect malicious behavior. Cybersecurity professionals would need to trawl through event after event and alert after alert looking for the needle in a haystack. Today, SIEM technology can quickly and efficiently find those needles with far less human interaction. This dramatically reduces the number of cybersecurity professionals needed for a traditional security operations center (SOC), which means a lower cost per device to organizations. With a lower cost to monitor each device, we can now monitor more devices. Rather than just monitoring choke points we can monitor all windows, doors, and rooms, which is really what was needed all along.
When all critical devices are being monitored and correlated, you can stitch together bits of information from different systems and areas of the network to form a much more accurate picture of what is happening. In other words, the more devices you monitor, the more accurate the monitoring becomes, and therefore the better the economies of scale that can be achieved.
So what should an organization monitor? Certainly the firewall and IDS are a good idea, but we need to go beyond that to where today’s threats are actually aimed. Routers, servers (especially Active Directory servers), and wireless access points should all be monitored. With current SIEM technology you can monitor all these systems for about the same price as you used to pay to monitor just the firewall and IDS/IPS.
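The cross-source correlation described above (normalizing events from the access point, the domain controller and the firewall, then joining them per host) can be shown concretely. The following Python is an added example written for this post, not code from the original article or from any SIEM product; the key=value log format, field names, hostnames, addresses and thresholds are all constructed for illustration, and a real pipeline would join the access point’s MAC address to an IP via DHCP logs rather than logging the IP directly as done here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real logs) from three sources the post
# says should be monitored: a wireless access point, an Active Directory
# domain controller, and the firewall. The key=value layout, field names and
# addresses are assumptions for this example, not any vendor's format.
SAMPLE_LOG = """\
2024-03-01T09:00:05 source=wlan event=assoc station=10.0.0.5 ssid=corp
2024-03-01T09:00:40 source=ad event=logon_failure client=10.0.0.5 user=jsmith
2024-03-01T09:00:43 source=ad event=logon_failure client=10.0.0.5 user=jsmith
2024-03-01T09:00:47 source=ad event=logon_failure client=10.0.0.5 user=jsmith
2024-03-01T09:00:51 source=ad event=logon_failure client=10.0.0.5 user=jsmith
2024-03-01T09:00:55 source=ad event=logon_failure client=10.0.0.5 user=jsmith
2024-03-01T09:01:10 source=ad event=logon_success client=10.0.0.5 user=jsmith
2024-03-01T09:02:30 source=firewall event=allow src=10.0.0.5 dst=203.0.113.9 dport=443
2024-03-01T09:05:00 source=firewall event=allow src=10.0.0.8 dst=203.0.113.9 dport=443
2024-03-01T09:06:00 source=ad event=logon_failure client=10.0.0.8 user=mlee
2024-03-01T09:07:00 source=ad event=logon_success client=10.0.0.8 user=mlee
"""

# Normalization: each source names the internal host differently; map them
# all onto one field so the correlation rule can join across sources.
HOST_FIELDS = {"src": "host", "client": "host", "station": "host"}


def parse_log(text):
    """Parse key=value lines into normalized event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        event = {"ts": datetime.fromisoformat(stamp)}
        for pair in pairs:
            key, _, value = pair.partition("=")
            event[HOST_FIELDS.get(key, key)] = value
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, window=timedelta(minutes=10), failure_threshold=5):
    """Flag hosts where a burst of AD logon failures is followed by a logon
    success and then an allowed outbound connection, all within `window`.

    No single source can fire this rule: the firewall alone sees two equally
    ordinary 'allow' events, and the domain controller alone sees failures
    that eventually succeeded."""
    by_host = defaultdict(list)
    for e in events:  # events are already time-ordered, so each list is too
        if "host" in e:
            by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["source"] != "ad" or e["event"] != "logon_success":
                continue
            earliest = e["ts"] - window
            failures = [
                f for f in evs[:i]
                if f["source"] == "ad" and f["event"] == "logon_failure"
                and f["user"] == e["user"] and f["ts"] >= earliest
            ]
            if len(failures) < failure_threshold:
                continue
            outbound = [
                o for o in evs[i + 1:]
                if o["source"] == "firewall" and o["event"] == "allow"
                and o["ts"] <= e["ts"] + window
            ]
            if not outbound:
                continue
            via_wireless = any(
                w["source"] == "wlan" and w["event"] == "assoc" and w["ts"] >= earliest
                for w in evs[:i]
            )
            alerts.append({
                "host": host,
                "user": e["user"],
                "failures": len(failures),
                "success_ts": e["ts"].isoformat(),
                "outbound": [f"{o['dst']}:{o['dport']}" for o in outbound],
                "via_wireless": via_wireless,
            })
    return alerts


def firewall_only(events):
    """What a choke-point-only deployment would have to judge from."""
    return [e for e in events if e["source"] == "firewall"]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for alert in correlate(parsed):
        print("ALERT", alert)
    print("firewall alone:", [(e["host"], e["dst"]) for e in firewall_only(parsed)])
```

Run as-is, the rule fires once, for 10.0.0.5, and carries the evidence from all three sources, while `firewall_only` returns two allowed HTTPS connections that look identical apart from the source address. That difference is the whole argument for monitoring beyond the choke point: the firewall event is only meaningful in the context the other devices supply.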
Unfortunately, most legacy MSSPs have become addicted to charging clients $500 to $1500/device/month and are unable to change their cost models without dramatically hurting their revenue. Therefore, they continue to try to convince organizations that their prices are fair and competitive. Yet this position is quickly crumbling as more and more professionals and organizations realize that a holistic approach to monitoring is required for true risk mitigation, and that lower per-device prices are the only way to achieve it.
Monitoring choke points and a limited set of devices or areas of a network will not protect your organization from today’s threats. Monitoring is more important than ever, but real risk mitigation comes with a holistic and cost-effective approach to monitoring all possible security events from every possible device. Stop only monitoring your front door for a break-in and assuming your business is safe… your back window is open.